Fortinet NSE7_PBC-7.2 Exam Practice Test Instant Access

Question 1

Refer to the exhibit.

What would be the impact of confirming to delete all the resources in Terraform?

AIt destroys all the resources in the . tfvars file

BIt destroys all the resources tied to the AWS Identity and Access Management (1AM) user.

CIt destroys all the resources in the resource group

DIt destroys all the resources in the state file.

DIt destroys all the resources in the state file.
Terraform State File Role: The terraform.tfstate file contains a real-time mapping of the resources that Terraform manages, including their current configuration and relationships. This file tracks the actual state of resources provisioned by Terraform.
Impact of Destruction: When Terraform prompts for confirmation to destroy resources, and 'yes' is entered, Terraform reads the state file and systematically removes all the resources that are managed as part of that state. This is not limited to a specific .tfvars file, IAM user, or resource group---it is a global action that affects all resources tracked by the state file associated with the current Terraform workspace and configuration.

Answer : D, D

Confirming to delete all the resources in Terraform will have the following impact:

Question 2

How does Terraform keep track of provisioned resources?

AIt uses the terraform. tf state file

BTerraform does not keep the state of resources created

CIt uses the terraform. tfvars file.

DIt uses the database. tf file.

Answer : A

Terraform manages and tracks the state of infrastructure resources through a file known as terraform.tfstate. This file is automatically created by Terraform and is updated after the application of a Terraform plan to capture the current state of the resources.

State File Purpose: The terraform.tfstate file contains a JSON object that records the IDs and properties of resources Terraform manages, so that it can map real-world resources to your configuration, keep track of metadata, and improve performance for large infrastructures.

State File Management: This file is crucial for Terraform to perform resource updates, deletions, and for creating dependencies. It's essentially the 'source of truth' for Terraform about your managed infrastructure and services.

Question 3

Which statement about immutable infrastructure in automation is true?

AIt is the practice of deploying a new server for every configuration change

BIt is the practice of modifying the existing server configuration after it is deployed

CIt is the practice of deploying two parallel servers for high availability.

DIt is the practice of applying hotfixes and OS patches after deployment

Answer : A

The statement that best describes the concept of immutable infrastructure in the context of automation is:

A . It is the practice of deploying a new server for every configuration change.

Immutable Infrastructure Concept: This approach to infrastructure management involves replacing servers or components entirely rather than making changes to existing configurations once they are deployed. When a change is needed, a new server instance is provisioned with the desired configuration and the old one is decommissioned after the new one is successfully deployed and tested.

Benefits: Immutable infrastructure minimizes the risks associated with in-place updates, such as inconsistencies or failures due to configuration drift. It enhances reliability and predictability by ensuring that the deployed environment matches exactly what was tested in staging. This practice is particularly aligned with modern deployment strategies like blue/green or canary deployments.

Question 4

You are adding a new spoke to the existing transit VPC environment using the AWS Cloud Formation template. Which two components must you use for this deployment? (Choose two.)

AThe OSPF AS value used for the hub.

BThe Amazon CloudWatch tag value.

CThe BGPASN value used for the transit VPC.

DThe tag value of the spoke

Answer : C, D

When using an AWS CloudFormation template to add a new spoke to an existing transit VPC environment, the necessary components are:

The BGPASN value used for the transit VPC (Option C): BGP Autonomous System Number (ASN) is required for setting up BGP routing between the transit VPC and the new spoke. This number uniquely identifies the system in BGP routing and is crucial for correct routing and avoiding routing conflicts.

The tag value of the spoke (Option D): Tags in AWS are used to identify and manage resources. The tag value assigned to a spoke VPC helps in organizing, managing, and locating the VPC within the larger AWS environment. Tags are essential for automation scripts and policies that depend on specific identifiers to apply configurations or rules.

Question 5

Which two Amazon Web Services (AWS) features do you use for the transit virtual private cloud (VPC) automation process to add new spoke N/PCs? (Choose two )

AAmazon S3 bucket

BAWS Security Hub

CAWS Transit Gateway

DAmazon CloudWatch

Answer : A, C

Question 6

Refer to the exhibit

In your Amazon Web Services (AWS), you must allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet However, your HTTPS connection to the FortiGate VM in the Customer VPC is not successful.

Also, you must ensure that the Customer VPC FortiGate VM sends all the outbound Internet traffic through the Security VPC How do you correct this Issue with minimal configuration changes?

(Choose three.)

A. Add a route With your local internet public IP address as the destination and target transit gateway

BAdd route destination 0 0.0 0/0 to target the transit gateway

CAdd a route With your local internet public IP address as the destination and target internet gateway

DDeploy an internet gateway, associate an EIP in the private subnet, edit route tables, and add a new route destination 0.0.0.0/0 to the target internet gateway

EDeploy an internet gateway, associate an EIP in the public subnet, and attach the internet gateway to the Customer VPC,

Answer : B, D, E

B . Add route destination 0.0.0.0/0 to target the transit gateway.This will ensure that the Customer VPC FortiGate VM sends all the outbound internet traffic through the Security VPC, where it can be inspected by the Security VPC FortiGate VMs1.The transit gateway is a network device that connects multiple VPCs and on-premises networks in a hub-and-spoke model2. D. Deploy an internet gateway, associate an EIP in the private subnet, edit route tables, and add a new route destination 0.0.0.0/0 to the target internet gateway.This will allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the private subnet where the FortiGate VM is located3.An internet gateway is a service that enables communication between your VPC and the internet4. An EIP is a public IPv4 address that you can allocate to your AWS account and associate with your resources. E. Deploy an internet gateway, associate an EIP in the public subnet, and attach the internet gateway to the Customer VPC.This will also allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the public subnet where the FortiGate VM is located3. This is an alternative solution to option D, depending on which subnet you want to use for the FortiGate VM.

The other options are incorrect because:

Adding a route with your local internet public IP address as the destination and target transit gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will only apply to traffic coming from your specific IP address, not from any other source on the internet1.Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet1.

Adding a route with your local internet public IP address as the destination and target internet gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will bypass the Security VPC and send the traffic directly to the Customer VPC1.Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet1.

Question 7

Refer to the exhibit

Consider the active-active load balance sandwich scenario in Microsoft Azure.

What are two important facts in the active-active load balance sandwich scenario? (Choose two )

AIt uses the vdom-exception command to exclude the configuration from being synced

BIt is recommended to enable NAT on FortiGate policies.

CIt uses the FGCP protocol

DIt supports session synchronization for handling asynchronous traffic.

Answer : B, D

B . It is recommended to enable NAT on FortiGate policies.This is because the Azure load balancer uses a hash-based algorithm to distribute traffic to the FortiGate instances, and it relies on the source and destination IP addresses and ports of the packets1.If NAT is not enabled, the source IP address of the packets will be the same as the load balancer's frontend IP address, which will result in uneven distribution of traffic and possible asymmetric routing issues1.Therefore, it is recommended to enable NAT on the FortiGate policies to preserve the original source IP address of the packets and ensure optimal load balancing and routing1. D. It supports session synchronization for handling asynchronous traffic.This means that the FortiGate instances can synchronize their session tables with each other, so that they can handle traffic that does not follow the same path as the initial packet of a session2.For example, if a TCP SYN packet is sent to FortiGate A, but the TCP SYN-ACK packet is sent to FortiGate B, FortiGate B can forward the packet to FortiGate A by looking up the session table2. This feature allows the FortiGate instances to handle asymmetric traffic that may occur due to the Azure load balancer's hash-based algorithm or other factors.

The other options are incorrect because:

It does not use the vdom-exception command to exclude the configuration from being synced.The vdom-exception command is used to exclude certain configuration settings from being synchronized between FortiGate devices in a cluster or a high availability group3. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, but they are standalone devices with standalone configuration synchronization enabled. This feature allows them to synchronize most of their configuration settings with each other, except for some settings that identify the FortiGate to the network, such as the hostname.

It does not use the FGCP protocol. FGCP stands for FortiGate Clustering Protocol, which is used to synchronize configuration and state information between FortiGate devices in a cluster or a high availability group. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, and they use standalone configuration synchronization instead of FGCP.

Fortinet NSE7_PBC-7.2 Fortinet NSE 7 - Public Cloud Security 7.2 Exam Practice Test